Strong opinions, weakly held

I didn’t really pay much attention when Adobe’s massive data breach was first reported, but now that all of the details have emerged, we know that the scope of the breach is truly spectacular. The Naked Security blog has the details. This episode is particularly sad because the best practices around password storage are well understood. Even though practices like using slow hashing algorithms are pretty new, and I wouldn’t have expected Adobe to have adopted them, the basic approach of storing a salted hash has been in wide use for quite some time.

I hope Adobe conducts a productive investigation of the incident and shares the systemic failures that led to the breach — not just the user database being stolen, but also the decision not to migrate to a more secure method of password storage over time. My guess is that Adobe not only has many Web properties, but also native applications that need to authenticate, and that they probably weren’t abstracted cleanly from the database used to store the encrypted passwords, so migrating to a new system was always deemed to be too low priority to be worth the extensive effort required.
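The two practices the post refers to, storing a salted hash computed with a deliberately slow algorithm and migrating stored credentials to a stronger scheme over time, are shown together in the following added example. It is not code from the post or from Adobe; it uses PBKDF2-HMAC-SHA256 from Python's standard library as the "slow" scheme, and the unsalted SHA-1 "legacy" record format is a constructed stand-in (the post does not describe what Adobe actually stored). The iteration count is an assumed starting value to be tuned for the deployment.

```python
import hashlib
import hmac
import os

# Assumed parameters: a per-user random salt and a high PBKDF2 iteration count.
# The count should be raised over time as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
CURRENT_SCHEME = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex.

    A fresh random salt per password means two users with the same password
    get different records, and precomputed tables are useless.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{CURRENT_SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and iteration count."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != CURRENT_SCHEME:
        raise ValueError(f"unsupported scheme: {scheme}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed legacy format: unsalted, fast SHA-1. This is the kind of record a
# migration has to tolerate until every user has logged in again.
def legacy_sha1_record(password: str) -> str:
    return "sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def verify_legacy_sha1(password: str, record: str) -> bool:
    _, digest_hex = record.split("$")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def verify_and_upgrade(password: str, record: str):
    """Verify against whichever scheme the stored record uses.

    Returns (ok, new_record). new_record is a replacement under the current
    scheme when a legacy record verified (rehash-on-login migration), else None.
    The plaintext is only available at login, so that is the only moment an
    unsalted record can be converted without asking the user to reset.
    """
    scheme = record.split("$", 1)[0]
    if scheme == CURRENT_SCHEME:
        return verify_password(password, record), None
    if scheme == "sha1":
        if verify_legacy_sha1(password, record):
            return True, hash_password(password)
        return False, None
    raise ValueError(f"unsupported scheme: {scheme}")


if __name__ == "__main__":
    stored = {"alice": legacy_sha1_record("correct horse"), "bob": hash_password("battery staple")}
    for user, attempt in (("alice", "correct horse"), ("bob", "wrong"), ("bob", "battery staple")):
        ok, upgraded = verify_and_upgrade(attempt, stored[user])
        if upgraded:
            stored[user] = upgraded  # persist the stronger record in place of the legacy one
        print(user, "ok" if ok else "rejected", "(migrated)" if upgraded else "")
```

The record format carries its own scheme and iteration count, so the verifier can raise `PBKDF2_ITERATIONS` later and still check older records; a store that instead hard-codes one algorithm is exactly what makes migration "too low priority to be worth the effort".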

1 Comment

I’d also bet that there wasn’t a single “Fix Passwords” project but that it was rolled into larger projects with things which the site owners wanted (profiles, recommendations, etc.). Hopefully the next time someone says “We have to fix this now” – and the fact that this was a backup system suggests that happened — they’ll be able to get backing to do a non-trivial project which doesn’t add new features.